FTC proposes stricter online privacy rules for children

The Federal Trade Commission today issued proposed revisions to the Children’s Online Privacy Protection Rule, in an effort to ensure that privacy regulations keep pace with the changing online world.

Under the proposal, the rules would now specifically apply to mobile phones and the definition of “personal information” would expand to include data derived from tracking cookies and geolocation. That would force sites to secure parental consent before using very common online tools to gather information about children under 13.

“We believe (the rules) will help address a number of concerns raised

by consumer groups, privacy experts, and child advocates, while at the same time, balancing children’s ability to be active participants in digital culture with the need to protect them from unfair data collection and marketing practices,” said Kathryn Montgomery, professor of communication at American University, in a statement issued by the Center for Digital Democracy in Washington, D.C.

But critics say the rules would also create some sizable technical hurdles as well as legal uncertainties.

“It is unclear how an expanded COPPA regulatory regime would work without requiring mandatory online age verification of all Internet users, which would raise serious constitutional issues,” wrote Adam Thierer, a senior research fellow at the Mercatus Center, a free market think tank.

It would, for one thing, seem to require sites to know when a 12-year old sat down at a desktop computer regularly used by their mother, father or older sibling.

Web browser cookies are data files that store information to help sites identify a particular computer, which is used as a sort of best guess for identifying an actual person in the hopes of targeting advertising to online behavior.

Meanwhile, geolocation data tracks the physical location of a person from information collected on mobile devices, through check-in apps like Foursquare, or map or navigation applications.

There are concerns that inserting an age verification process could make these sorts of tools more cumbersome, or undermine advances.

Jim Steyer, CEO of Common Sense Media, said the industry is crying wolf, as it always does when staring at new privacy rules. These are all solvable technical issues for the deep-pocketed tech sector, he said.

“The big players are coining money on this, it’s a boom time in the Valley, so to suggest that they don’t have the resources from a technical standpoint is a joke,” he said.

“You’re talking about companies with $100 billion valuations,” he said. “They have a lot of money and brilliant engineers and we continually tout the innovation of Silicon Valley. So our point is: figure it out, kids matter.”

The FTC is seeking public comment on the proposed amendments.

“In this era of rapid technological change, kids are often tech savvy but judgment poor,” FTC Chairman Jon Leibowitz said in a prepared statement. “We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses.”

The COPPA Rule requires covered operators to obtain parental consent before collecting personal information from children. The FTC proposes updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers used for functions other than the website’s internal operations, such as tracking cookies used for behavioral advertising. In addition, the Commission proposes modifying the definition of “collection” so operators may allow children to participate in interactive communities, without parental consent, so long as the operators take reasonable measures to delete all or virtually all children’s personal information before it is made public.

Parental Notice

The proposed amendments also seek to streamline and clarify the direct notice that operators must give parents prior to collecting children’s personal information. The proposed revisions are intended to ensure that key information will be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy.

Parental Consent Mechanisms:

The FTC also proposes adding new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done. These supplement the nonexclusive list of methods already set forth in the Rule.

The FTC proposes eliminating the less-reliable method of parental consent, known as “e-mail plus,” which is available to operators that collect personal information only for internal use. This method currently allows operators to obtain consent through an email to the parent, coupled with another step, such as sending a delayed email confirmation to the parent after receiving consent.

To encourage the development of new consent methods, the Commission proposes establishing a voluntary 180-day notice and comment process whereby parties may seek Commission approval of a particular consent mechanism. In addition, the Commission proposes permitting operators participating in a Commission approved safe-harbor program to use a method permitted by that program.

Confidentiality and Security Requirements:

To better protect children’s personal information, the Commission proposes strengthening the Rule’s current confidentiality and security requirements. Specifically, the Commission proposes adding a requirement that operators ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect it, that operators retain the information for only as long as is reasonably necessary, and that they properly delete that information by taking reasonable measures to protect against unauthorized access to, or use in connection with, its disposal.

Safe Harbor:

Finally, the FTC proposes to strengthen its oversight of self-regulatory “safe harbor programs” by requiring them to audit their members at least annually and report periodically to the Commission the results of those audits.